usfrank02 / devOps

Repository for posting issues

IPsec VPN between Centos7 and cisco router issues #1

Open usfrank02 opened 6 years ago

usfrank02 commented 6 years ago

Hi Team,

It's my first time creating a site-to-site VPN between a Linux server and a Cisco router. I've been trying to dig deep, googling for a solution, in vain. Below are the error messages I am facing.

    Checking if IPsec got installed and started correctly:

    Version check and ipsec on-path                         [OK]
    Openswan U2.6.50/K3.10.0-693.11.6.el7.x86_64 (netkey)
    See `ipsec --copyright' for copyright information.
    Checking for IPsec support in kernel                    [OK]
     NETKEY: Testing XFRM related proc values
             ICMP default/send_redirects                    [NOT DISABLED]

      Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

             ICMP default/accept_redirects                  [NOT DISABLED]

      Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

             XFRM larval drop                               [OK]
    Hardware random device check                            [N/A]
    Two or more interfaces found, checking IP forwarding    [OK]
    Checking rp_filter                                      [ENABLED]
     /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
     /proc/sys/net/ipv4/conf/enp0s9/rp_filter               [ENABLED]
    Checking that pluto is running                          [OK]
     Pluto listening for IKE on udp 500                     [OK]
     Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
     Pluto listening for IKE/NAT-T on udp 4500              [DISABLED]
     Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
     Pluto listening for IKE on tcp 10000 (cisco)           [NOT IMPLEMENTED]
    Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
    Checking 'ip' command                                   [OK]
    Checking 'iptables' command                             [OK]

    ipsec verify: encountered errors

When I check on the router side I get the following error:

    IPSEC(Key_engine): got a queue event with 1 KMI message(s)

This is the error coming from the remote host, i.e. the CentOS 7 server using Openswan for the IPsec VPN setup. Kindly help me find the fix.
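The two `[NOT DISABLED]` lines in the `ipsec verify` output above are what make the tool finish with "encountered errors": the NETKEY stack wants ICMP redirect sending and acceptance turned off on every interface. The script below is an added example, not from this issue or from the Openswan project. It parses those two lines out of the posted output, produces the matching `sysctl.d` fragment, lists any `/proc/sys/net/ipv4/conf/*/…` value that is still non-zero on the running host, and with `--apply` (as root) writes the file, sets the live per-interface values and re-runs `ipsec verify`. The file name `/etc/sysctl.d/50-ipsec-netkey.conf` is an assumption; the verify excerpt is constructed from the output quoted in the issue.

```shell
#!/bin/sh
# Added example (not from the issue or from Openswan): remediate the
# send_redirects / accept_redirects checks that `ipsec verify` flags as
# [NOT DISABLED], and persist the result so it survives a reboot.
# Assumption (not in the original): the sysctl.d file name below.
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/50-ipsec-netkey.conf}"

# Constructed excerpt of the `ipsec verify` output quoted in the issue.
VERIFY_OUTPUT='         ICMP default/send_redirects              [NOT DISABLED]
         ICMP default/accept_redirects            [NOT DISABLED]
         XFRM larval drop                         [OK]
Checking rp_filter                                [ENABLED]'

# failing_redirect_checks OUTPUT
# Prints one key per line (send_redirects, accept_redirects) for every
# "ICMP default/<key>" line that verify reported as [NOT DISABLED].
failing_redirect_checks() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*ICMP default\/\([a-z_]*\)[[:space:]]*\[NOT DISABLED\]$/\1/p'
}

# sysctl_fragment KEYS
# Emits sysctl.d content: each flagged key is forced to 0 on "all" and on
# "default" (so interfaces created later inherit it). rp_filter is also set
# to 0: verify reports it ENABLED, and Openswan/Libreswan recommend turning
# it off on IPsec gateways because it is not IPsec-aware and can drop
# decrypted packets arriving on the "wrong" interface.
sysctl_fragment() {
    printf '%s\n' "$1" | while IFS= read -r key; do
        [ -n "$key" ] || continue
        printf 'net.ipv4.conf.all.%s = 0\n' "$key"
        printf 'net.ipv4.conf.default.%s = 0\n' "$key"
    done
    printf 'net.ipv4.conf.all.rp_filter = 0\n'
    printf 'net.ipv4.conf.default.rp_filter = 0\n'
}

# live_nonzero KEY
# Lists every /proc/sys/net/ipv4/conf/*/KEY that is still non-zero. This is
# the same walk `ipsec verify` does. Prints nothing if /proc is unavailable.
live_nonzero() {
    for f in /proc/sys/net/ipv4/conf/*/"$1"; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "0" ] || printf '%s\n' "$f"
    done
}

# apply_fix KEYS
# Persist the settings, then set the live value on every existing interface:
# the all/default knobs do not rewrite per-interface files that already hold
# a 1, and verify inspects each file. Finally re-run the check. Needs root.
apply_fix() {
    sysctl_fragment "$1" > "$SYSCTL_FILE"
    sysctl -p "$SYSCTL_FILE"
    printf '%s\n' "$1" | while IFS= read -r key; do
        [ -n "$key" ] || continue
        for f in /proc/sys/net/ipv4/conf/*/"$key"; do echo 0 > "$f"; done
    done
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$f"; done
    ipsec verify
}

KEYS=$(failing_redirect_checks "$VERIFY_OUTPUT")
if [ "${1:-}" = "--apply" ]; then
    apply_fix "$KEYS"
else
    # Dry run: show the fragment that would be written and what is still
    # non-zero on this host.
    sysctl_fragment "$KEYS"
    for key in $KEYS; do live_nonzero "$key"; done
fi
```

Clearing these warnings makes `ipsec verify` pass, but it does not by itself explain why the tunnel is not coming up: the router line `got a queue event with 1 KMI message(s)` appears in ordinary `debug crypto ipsec` output whenever the key engine processes a message, so the phase 1 and phase 2 negotiation results have to be read from `debug crypto isakmp` on the router and from pluto's log on the CentOS side (syslog authpriv, `/var/log/secure` on CentOS 7).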

usfrank02 commented 6 years ago

The configuration made on Openswan in the /etc/ipsec.config directory is below:

    config setup
        dumpdir=/var/run/pluto/
        # NAT traversal off; this is why ipsec verify shows
        # "IKE/NAT-T on udp 4500 [DISABLED]"
        nat_traversal=no
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # no opportunistic encryption
        oe=off
        # kernel XFRM/NETKEY stack
        protostack=netkey

    conn Branch1
        type=tunnel
        left=172.16.10.254
        leftsubnet=192.168.122.0/24
        leftid=172.16.10.254
        right=172.16.10.251
        rightsubnet=192.168.2.0/24
        rightid=172.16.10.251
        # pre-shared key, taken from /etc/ipsec.secrets
        authby=secret
        # IKEv1 main mode
        aggrmode=no
        # phase 1 (IKE/ISAKMP): 3DES, MD5, DH group 5 (modp1536); legacy
        # algorithms, and the router's isakmp policy must use the same ones
        keyexchange=ike
        ike=3des-md5-modp1536
        ikelifetime=3600s
        # phase 2 (IPsec SA): ESP with 3DES and HMAC-MD5, no PFS group;
        # must match the router's transform set
        phase2=esp
        phase2alg=3des-md5
        pfs=no
        # salifetime=86400s
        # bring the tunnel up when pluto starts
        auto=start
usfrank02 commented 6 years ago

Any help, please? I am blocked.